Module III Scanning. Scanning - Definition. Scanning is one of the three components of intelligence (ppsx)


Document information

Module III: Scanning

Scanning - Definition
Scanning is one of the three components of intelligence gathering for an attacker. The attacker finds information about the:
• Specific IP addresses
• Operating Systems
• System architecture
• Services running on each computer
The various types of scanning are as follows: Port Scanning, Network Scanning, Vulnerability Scanning.

Types of Scanning
Port Scanning
• A series of messages sent by someone attempting to break into a computer to learn about the computer's network services
• Each associated with a "well-known" port number
Network Scanning
• A procedure for identifying active hosts on a network
• Either for the purpose of attacking them or for network security assessment
Vulnerability Scanning
• The automated process of proactively identifying vulnerabilities of computing systems present in a network

Objectives of Scanning
• To detect the live systems running on the network
• To discover which ports are active/running
• To discover the operating system running on the target system (fingerprinting)
• To discover the services running/listening on the target system
• To discover the IP address of the target system

Checking for Live Systems - ICMP Scanning
In this type of scanning, it is found out which hosts are up in a network by pinging them all. ICMP scanning can be run in parallel so that it can run fast. It can also be helpful to tweak the ping timeout value with the -t option.

Angry IP Scanner
An IP scanner for Windows. Can scan IPs in any range. It simply pings each IP address to check if it is alive. Provides NETBIOS information such as:
• Computer name
• Workgroup name
• MAC address
Angry IP Scanner: Screenshot

Checking for Open Ports

Three Way Handshake
Computer A                             Computer B
192.168.1.2:2342  --- syn -->      192.168.1.3:80
192.168.1.2:2342  <-- syn/ack --   192.168.1.3:80
192.168.1.2:2342  --- ack -->      192.168.1.3:80
Connection Established
The Computer A (192.168.1.2) initiates a connection to the server (192.168.1.3) via a packet with only the SYN flag set. The server replies with a packet with both the SYN and the ACK flag set. For the final step, the client responds back to the server with a single ACK packet. If these three steps are completed without complication, then a TCP connection has been established between the client and the server.

[...]

• Urgent - It is also called "URG" and states that the data contained in the packet should be processed immediately
• Finish - It is also called "FIN" and tells the remote system that there will be no more transmissions
• Reset - It is also called "RST" and is used to reset a connection

Nmap
Nmap is a free open source utility for network exploration. It is designed ...

NMAP Options
-sT (TcpConnect), -sW (Window Scan), -sS (SYN scan), -sR (RPC scan), -sF (Fin Scan), -sL (List/Dns Scan), -sX (Xmas Scan), -sN (Null Scan), -P0 (don't ping), -PT (TCP ping), -sP (Ping Scan), -PS (SYN ping), -sU (UDP scans), -PI (ICMP ping), -sO (Protocol Scan), -PB (= PT + PI), -sI (Idle Scan), -PP (ICMP timestamp), -sA (Ack Scan), -PM (ICMP netmask)
NMAP Output Format: -oN(ormal), -oX(ml), -oG(repable), -oA(ll)
NMAP Timing Options: -T Paranoid - serial ...
... --append_output, -iL, -p, -F (Fast scan mode), -D, -S, -e, -g, --data_length, --randomize_hosts, -O (OS fingerprinting), -I (Ident-scan), -f (fragmentation), -v (verbose), -h (help), -n (no reverse lookup), -R (do reverse lookup), -r (don't randomize port scan), -b

ICMP Echo Scanning / List Scan
ICMP Echo Scanning
• This is not really port scanning, since ICMP does not have a port abstraction
• But it is sometimes useful to determine which hosts in a network are up by pinging them all
• nmap -P cert.org/24 152.148.0.0/16
List Scan
• This type of scan simply generates and prints a list of IPs/Names without actually pinging or port scanning them
• A DNS name resolution will also be carried out

TCP Connect / Full Open Scan
This is the most reliable form of TCP scanning. The connect() system call provided by the operating system is used to open a connection to every open port on the machine. If the port is open, connect() will succeed. If the port is closed, then it is unreachable. (Diagram: SYN, SYN + ACK, ACK)

SYN Stealth / Half Open Scan
SYN Stealth / Half Open Scan is often referred to as half open scan because it does not open a full TCP connection. First, a SYN packet is sent to a port of the machine, suggesting a request for connection, and the response is awaited. If the port sends back a SYN/ACK packet, then it is inferred that a service at the particular port is listening. If an RST is received, then the port is not active/listening. As soon as the SYN/ACK packet is received, an RST packet is sent, instead of an ACK, to tear down the connection. The key advantage is that fewer sites log this scan.

Stealth Scan
Computer A (192.168.1.2:2342) ... Computer B (192.168.1.3:80)
Client sends a single SYN packet to the server on the appropriate port. If the port is open then the server responds with a SYN/ACK packet. If the server responds with an RST packet, then the remote port is in "closed" state. The client sends the RST packet to close the initiation ...

War Dialer Technique ...

Hping2
...
• Advanced Traceroute, under all the supported protocols
• Remote OS fingerprinting
• Remote uptime guessing
• TCP/IP stacks auditing

Hping2 Commands
hping2 10.0.0.5
• This command sends a TCP null-flags packet to port 0 of host 10.0.0.5
hping2 10.0.0.5 -p 80
• This command sends the packet to port 80
hping2 -a 10.0.0.5 -S -p 81 10.0.0.25
• This command sends spoofed SYN packets to the target via a trusted ...
... www.debian.org -p 80 -A
• This command sends ACK to port 80 of www.debian.org
hping www.yahoo.com -p 80 -A
• This command checks for IPID responses
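The slides note that a half-open scan is logged by fewer sites because no full connection is ever opened. As an added example (not from the slide deck), the Python below reconstructs each handshake from a packet record, labels it full (SYN, SYN/ACK, ACK), half-open (SYN, SYN/ACK, then RST instead of ACK) or closed (SYN answered by RST), and flags clients that probe many ports without ever completing; the packet tuples are constructed sample data and their field layout is an assumption.

```python
# Added example, not from the slide deck: classify TCP handshakes from a
# packet record as full (SYN, SYN/ACK, ACK), half-open (SYN, SYN/ACK, then
# RST instead of ACK) or closed (SYN answered by RST), then flag sources that
# probe many ports without ever completing. Record layout is an assumption.
from collections import defaultdict

# Constructed sample: (src_ip, src_port, dst_ip, dst_port, flags) per segment.
SAMPLE_PACKETS = [
    # Ordinary full connect() from 192.168.1.2:2342 to 192.168.1.3:80.
    ("192.168.1.2", 2342, "192.168.1.3", 80, "S"),
    ("192.168.1.3", 80, "192.168.1.2", 2342, "SA"),
    ("192.168.1.2", 2342, "192.168.1.3", 80, "A"),
    # A closed port: the server answers the SYN with RST.
    ("10.0.0.9", 40099, "192.168.1.3", 8080, "S"),
    ("192.168.1.3", 8080, "10.0.0.9", 40099, "R"),
]
# Half-open probes from 10.0.0.9: SYN, SYN/ACK, then RST tears it down.
for i, port in enumerate((21, 22, 23, 25, 80)):
    sport = 40000 + i
    SAMPLE_PACKETS += [
        ("10.0.0.9", sport, "192.168.1.3", port, "S"),
        ("192.168.1.3", port, "10.0.0.9", sport, "SA"),
        ("10.0.0.9", sport, "192.168.1.3", port, "R"),
    ]

def classify_handshakes(packets):
    """Map (client, cport, server, sport) -> full | half-open | closed | incomplete."""
    state = {}  # flow -> last handshake step observed
    for src, sport, dst, dport, flags in packets:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S":
            state[fwd] = "syn"
        elif flags == "SA" and state.get(rev) == "syn":
            state[rev] = "synack"            # server offered the connection
        elif flags == "R" and state.get(rev) == "syn":
            state[rev] = "closed"            # server refused: port closed
        elif flags in ("A", "R") and state.get(fwd) == "synack":
            state[fwd] = "full" if flags == "A" else "half-open"
    final = ("full", "half-open", "closed")
    return {f: (v if v in final else "incomplete") for f, v in state.items()}

def syn_scan_suspects(packets, min_ports=3):
    """Clients that probed >= min_ports distinct ports on a server without a full handshake."""
    probed = defaultdict(set)
    for (client, _cp, server, dport), verdict in classify_handshakes(packets).items():
        if verdict in ("half-open", "closed"):
            probed[(client, server)].add(dport)
    return {k: sorted(v) for k, v in probed.items() if len(v) >= min_ports}
```

Calling syn_scan_suspects(SAMPLE_PACKETS) returns the probing client together with the server ports it touched, while the legitimate full handshake from 192.168.1.2 is not reported.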

Posted: 31/07/2014, 04:20
